They Said It Would Be Different This Time
In November 2024, Anthropic quietly released something called the Model Context Protocol. Almost nobody noticed. By the time the NSA published a formal security advisory eighteen months later, the protocol was already inside 97 million monthly downloads across corporate networks, startups, government agencies, and everywhere else.
Here is what happened in between: 30+ CVEs. One tenant isolation failure that exposed roughly 1,000 enterprises. A support ticket that leaked database tokens. At least six major breaches in real companies that never made headlines because they happened through a protocol most security teams had never even heard of.
This is a story about how the fastest-growing technology in AI became one of the biggest blind spots in enterprise security. And more importantly, what you need to do about it before an attacker finds the gap in your environment.
The Growth Numbers Are Bonkers
In November 2024, MCP SDK had roughly 100,000 downloads.
By the end of Q1 2026, it hit 97 million monthly downloads. That is not a typo. That is a 970x increase in 18 months.
To put that in perspective:
⚙️ Kubernetes
Took 3 full years to reach 50 million monthly downloads. Set the foundation for cloud container orchestration slowly and deliberately.
🐋 Docker
Took 5 years to reach mainstream global enterprise adoption. Radically redefined local development workflows gradually over half a decade.
🔌 Model Context Protocol
Reached 97 million monthly downloads in just 1.5 years (18 months). The fastest-adopted technical protocol in enterprise software history.
How many production MCP servers are running right now? Conservative estimates put the number between 10,000 and 15,926 depending on which registry you count.
Here is the kicker: 41% of software organizations report they are already in production with MCP (Stacklok 2026 survey). That means by the time your security team finished reading the NSA advisory, a significant portion of the enterprise world had already integrated MCP into critical workflows without a formal risk assessment.
You know what this reminds me of? 2016. Cloud adoption was happening. AWS was everywhere. Security teams were still writing policies for on-premises infrastructure. We are living in that exact moment again. Except the agents are moving much faster than humans ever could.
What Actually Is MCP, and Why Should You Care?
Let me use the simplest definition first: MCP is a standard protocol that lets AI agents talk to tools and databases.
Before MCP, if you wanted your AI assistant to access Gmail, you hand-coded that integration. Same with Slack. Same with your database. Same with GitHub. If you had 10 different systems, you built 10 different integrations.
MCP says: stop. Use one standard. Servers advertise what they offer. Clients consume it. Done.
The Productivity Gain
Microsoft's internal sales development agent uses MCP. In one year, it contacted 61,734 leads and produced a 15.1% boost in lead-to-opportunity conversion rates. Imagine that multiplied across every enterprise function. Finance agents. HR agents. Engineering agents. Every one of them suddenly became an order of magnitude more capable because they could plug into existing infrastructure in a standard way.
Wall Street loves it. CIOs love it. Gartner projects 40% of enterprise applications will embed AI agents by 2026 (up from less than 5% in 2025).
But here is the problem: every single one of those agents is now a gateway into your most sensitive systems.
The USB-C Analogy Works Both Ways
USB-C unified the world. One cable. One connector. Every device could work with every other device.
It also meant that one compromised cable could carry malware into every ecosystem that touched it.
MCP is the USB-C moment for AI. The standardization is real. The network effects are real. The adoption is real. And the risk concentration is also real.
Risk Concentration: Without MCP, integration complexity rises quadratically. With MCP, it increases linearly. MCP made the hard problem easy. But easy problems attract bad actors faster than hard problems do.
The First Breach Already Happened. You Probably Didn't Hear About It.
Asana. May/June 2025.
Asana launched an MCP server on May 1 to let customers automate workflows. By mid-June, a security firm found a bug in the tenant isolation logic. The MCP server was leaking data from one customer's organization into another customer's instance.
How many customers were affected? Approximately 1,000 enterprises. For two weeks, users could see other companies' project names, task descriptions, and metadata that did not belong to them.
Supabase + Cursor. Mid-2025. The Lethal Trifecta.
A developer used Cursor with MCP access to a Supabase database. The agent had service_role privileges, which bypass row-level security. So the agent had root-level access to the database.
The agent also processed support tickets. Customer support tickets. Unvetted input.
An attacker filed a support ticket containing instructions disguised as plain text:
The agent read it. The agent did it. The tokens posted into the public support thread.
Nobody broke in. Nobody compromised credentials. Nobody installed malware. An attacker simply wrote text in a place the AI agent could read it, and the agent treated that text as a command.
This is called the lethal trifecta for a reason:
- Privileged access (service-role database credentials)
- Untrusted input (unvetted support tickets)
- External communication channel (public support thread)
All three together equals a guarantee of data exfiltration.
Your WAF, Your EDR, Your SIEM — None of Them See This
This is the part that keeps security leaders up at night.
A traditional data exfiltration looks obvious to your tools. Large file transfer. Unusual IP. Geographic anomaly. Your DLP lights up. Your EDR flags it. Your SIEM correlates the events.
An AI agent reading your database and posting results to a support ticket? That looks like normal application behavior to every monitoring tool you own.
The MCP traffic is HTTPS. It looks encrypted. The tool descriptions are JSON. They look benign. The model processes the request. It looks like legitimate API usage.
That is not a vulnerability. That is a structural blindness.
Tool Poisoning: The Attack Hidden in Plain Sight
Let me give you a concrete example. An MCP server advertises a tool like this:
The AI model reads this and uses it normally. But an attacker runs their own MCP server, or compromises a legitimate one, and changes the description to:
The human? Never sees this. The tool looks normal. The AI model? Reads this. Trusts it. Includes the SSH key in every response. The attacker now owns a private key that gives them access to the entire infrastructure.
This is called tool poisoning. It is a form of indirect prompt injection. And the research is terrifying.
"More capable models are MORE vulnerable, not less"
— MCPTox Benchmark, Testing 20 Major AI ModelsMCPTox, a benchmark that tested 20 major AI models against tool poisoning attacks, found:
- o1-mini was tricked 72.8% of the time
- More capable models were MORE vulnerable, not less
- Claude 3.7-Sonnet refused these attacks less than 3% of the time
The worst part? There is no obvious moment when the attack succeeds. The model just reads the description once, when the server first connects. Then every single tool call carries the hidden instruction. Silently. Consistently. Until somebody notices.
The CVE Timeline Is Accelerating
MCP shipped in November 2024. By April 2026 — 17 months later — researchers disclosed a "by design" flaw in Anthropic's core MCP specification that enabled remote code execution across 7,000+ servers.
In between, the CVE count looked like this:
| Identifier | Component / Context | Impact Type | Severity |
|---|---|---|---|
| CVE-2025-6514 | mcp-remote (558K+ downloads) |
Remote Command Injection | CRITICAL |
| CVE-2025-49596 | MCP Inspector utility |
Remote Code Execution (RCE) | CRITICAL |
| CVE-2026-23744 | MCPJam server client |
Missing Authentication & Exploit Chains | HIGH |
| CVE-2026-33017 | Langflow pipeline client |
Malicious Code Injection RCE | CRITICAL |
| CVE-2025-59536 | Claude Code developer agent |
API Token Leak & Local Credential Theft | HIGH |
Note: Over 30+ distinct CVEs have been disclosed in the broader Model Context Protocol ecosystem over the last 15 months alone, with 13 rated critical.
The pattern is consistent: vulnerabilities shipped fast, security caught up slow.
Most MCP servers are maintained by individual developers. No security process. No bug bounty program. No SLA for patches.
Five Questions Every CISO Should Ask Before Approving MCP
-
1. What MCP servers are running in our environment right now?
Create a mandatory inventory. Discover and list every active MCP server, client, and developer config file across your networks. If you cannot catalog it, assume it is an unmanaged risk.
-
2. What credentials does each server hold, and what is the blast radius?
Evaluate credential storage and enforce strict workload identities. Implement automatic 90-day rotations and eliminate all static, long-lived access tokens.
-
3. Do we enforce Human-in-the-Loop (HITL) for high-impact tool calls?
Mandate manual verification gates for destructive or highly-privileged tool executions (write, delete, send). A two-second human delay is worth a prevented breach.
-
4. Where do we have the "lethal trifecta" exposed?
Conduct audits to locate agents that simultaneously combine: root-level database access + unvetted public inputs + external outbound communications. Restrict at least one node immediately.
-
5. Who owns incident response for MCP-specific agentic breaches?
Formally define operational ownership for AI agent exploits. Establish quick-revoke access procedures and dedicated forensics protocols for LLM context leaks.
What You Should Do Before the End of Q2
You do not need to ban MCP. That ship sailed. Shadow MCP will only grow if you block it openly. You need to govern it.
Here is the minimum viable security program for MCP in your enterprise:
- Inventory (This month): Find every MCP server. Every client. Every configuration.
- Credential rotation (This month): Rotate credentials to 90-day cycles. No more long-lived tokens.
- Least privilege (Next month): Map what each MCP server actually needs to access. Cut permissions down to minimum.
- Human in the loop (Next month): Enforce approval workflows for write, delete, send operations.
- Marketplace control (Next month): Define which MCP registries are approved. Ban everything else.
- Detection (This quarter): Add MCP traffic patterns to your SIEM. Look for unusual tool access patterns, privilege escalation chains, external communication to unexpected addresses.
The Comparison That Matters
Ten years ago, every enterprise moved to the cloud. Security lagged adoption by 3-5 years. We got breaches. We got regulations. We built CSPM tools, API gateways, and cloud-native firewalls.
The cycle was expensive. It took years. Companies paid the education tax in breach costs.
MCP and AI agents are starting that same cycle. The adoption curve is steeper. The blast radius is wider. The protection tools are nascent.
You get to choose: learn from the last decade, or repeat it.
The organizations that treat MCP servers like privileged identities, tool poisoning like a real threat class, and AI agents like users that need governance will outpace competitors who treat it like a nice-to-have.
The organizations that wait for the breaches to teach them will pay the education tax again.
Written by: Krishna Muduli, CISSP | Cybersecurity Lead Engineer
For: KM CIPHER — Enterprise AI Security
Published: May 30, 2026
Further reading: NSA MCP Security Design Considerations (May 2026) • OWASP LLM Top 10 • MCPTox Benchmark Paper • Lakera AI Indirect Prompt Injection Research